Yahoo to encrypt webmail sessions by default starting January

Lucian Constantin
Oct. 16, 2013

Yahoo plans to make HTTPS connections standard for all users starting Jan. 8.

"As one of the world's most popular free webmail services providers, Yahoo gained unwelcome attention from cybercriminals in the past months resulting in XSS attacks that ended in cookie theft and subsequent account abuse," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender. "The introduction of SSL will likely limit this behavior, among other dangers."

Botezatu believes that all types of digital communications should have been switched to HTTPS/SSL a long time ago. However, even though Yahoo will be late to enable it compared to other webmail providers, its decision is still salutary, he said.

Google implemented full-session HTTPS as an optional setting in Gmail back in 2008 and made it standard at the beginning of 2010. Microsoft added the option in Hotmail in November 2010 and enabled it by default for its Outlook.com webmail service in 2012.

Twitter started rolling out HTTPS by default in August 2011 and Facebook in November 2012. Both services had supported HTTPS as an option since early 2011.

The next step for Yahoo would be to switch Yahoo Messenger connections to SSL by default as well, Botezatu said. "In some regions, Yahoo Messenger usage still outnumbers other instant messaging clients, and customers rely on it for all sorts of communication, from personal to business, but these conversations are still sent in plain text, which makes it easier to snoop on by unauthorized parties."